Sony PSN Breach Fits Same Trend Seen in 2011 Verizon DBIR

It now appears that Sony PSN is framing up their breach as including the injection of a “communication tool” onto an application server via a vulnerability. They simply made a change to the server that opened up a backdoor. This exactly fits the trend reported in the Verizon Data Breach Investigations Report (DBIR) of hackers and malware opening up stealthy backdoors on servers as the most commonly seen paths to stealing data. (See figure below)

So, said another way, the same methods used by script kiddies and spammers in the 1990’s to secretly take ownership of server assets are today being used by criminal organizations, hactivists, and even state sponsored agencies. And the same simple controls that could have detected server breaches in the 1990’s would also detect it today. Part of what the Verizon report calls basic, “essential controls” would have likely alerted a vast majority of breached companies as soon as the integrity of their server was compromised. If properly used, of course, is the major caveat here.

When we launched the commercial version of Tripwire onto the scene in 1998, the value proposition we were bringing to market was all about detecting the stealthy breach. Whether from hacking or malware, whether installing a backdoor or just configuring one, the industry and leading security practitioners were recognizing that perimeter firewall deterrents and signature based anti-virus were just not enough (and probably never could be). At the time Tripwire was generally referred to as host-based intrusion detection, although we were already differentiating it from what would become HIDS/HIPS products by referring to it as File Integrity Assessment. Eventually we settled on calling the category File Integrity Monitoring, and once the term was baked into Visa CISP as “required” we knew that this label would stick.

The effectiveness of the technology and the simple value proposition meant that ubiquity was right around the corner – that is, once we solved the scalability issue. Every Tripwire sales pitch included the simple point that hackers and malware generally make changes, and Tripwire detects changes. Unfortunately determining which changes were authorized in the sea of change found in the typical dynamic corporate environment was untenable to review manually, so most customers had to limit their use of Tripwire to only those systems, files, and configurations that were deemed “critical”. The authors of Visa CISP (and later PCI) were convinced that FIM was an essential control for any in-scope system, but careful to require its use only on critical files. The Tripwire R&D team went on to develop multiple automated methods of identifying unauthorized changes and lessening the administrative burden. While this should have been driving wide-scale adoption of FIM as a control to ensure the INTEGRITY of servers, the surge in ITIL focus meant it was often deployed as change auditing for the purpose of server AVAILABILITY and general operational maturity. Before long “change process enforcement” and then “PCI compliance” became the requirements driving deals, and somewhere along the way simple security, knowing that your server isn’t owned, took a back seat.

It really is time to move beyond meeting minimum required security to protect custodial data and get reacquainted with the basic security controls you can rely on:

I am more convinced than ever that a few essential controls, when implemented and monitored properly, will do more for the state of security than any hot new technology. It may be the case that if these essential controls were in place in a majority of organizations, that the criminals would be using advanced data hiding techniques and anti-forensics technologies to hide their tracks – but they aren’t, because they don’t have to.